Admin: Security: Add configuration setting 'security_password_rotate_days' to enable password rotation requirement - refs BT#21146 #4960

ywarnier · ywarnier · commit d4872441331a · 2023-11-06T00:36:02.000+01:00
diff --git a/main/auth/profile.php b/main/auth/profile.php
@@ -675,6 +675,25 @@ function show_image(image,width,height) {
     $sql = rtrim($sql, ',');
     if ($changePassword && !empty($password)) {
         UserManager::updatePassword(api_get_user_id(), $password);
+        if (api_get_configuration_value('security_password_rotate_days') > 0) {
+            $date = api_get_local_time(
+                null,
+                'UTC',
+                'UTC',
+                null,
+                null,
+                null,
+                'Y-m-d H:i:s'
+            );
+            $extraFieldValue = new ExtraFieldValue('user');
+            $extraFieldValue->save(
+                [
+                    'item_id' => $user->getId(),
+                    'variable' => 'password_updated_at',
+                    'value' => $date
+                ]
+            );
+        }
     }
 
     if (api_get_setting('profile', 'officialcode') === 'true' &&
diff --git a/main/auth/reset.php b/main/auth/reset.php
@@ -25,6 +25,10 @@
 $form = new FormValidator('reset', 'POST', api_get_self().'?token='.$token);
 $form->addElement('header', get_lang('ResetPassword'));
 $form->addHidden('token', $token);
+if (!empty($_GET['rotate'])) {
+    $form->addElement('html', Display::return_message(get_lang('PasswordExpiredPleaseSetNewPassword'), 'warning'));
+}
+
 $form->addElement(
     'password',
     'pass1',
@@ -83,6 +87,25 @@
                 $extraFieldValue->delete($value['id']);
             }
         }
+        if (api_get_configuration_value('security_password_rotate_days') > 0) {
+            $extraFieldValue = new ExtraFieldValue('user');
+            $date = api_get_local_time(
+                null,
+                'UTC',
+                'UTC',
+                null,
+                null,
+                null,
+                'Y-m-d H:i:s'
+            );
+            $extraFieldValue->save(
+                [
+                    'item_id' => $user->getId(),
+                    'variable' => 'password_updated_at',
+                    'value' => $date
+                ]
+            );
+        }
 
         Display::addFlash(Display::return_message(get_lang('Updated')));
         header('Location: '.api_get_path(WEB_PATH));
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
@@ -1661,6 +1661,23 @@ public static function update_user(
         if (!is_null($password)) {
             $user->setPlainPassword($password);
             Event::addEvent(LOG_USER_PASSWORD_UPDATE, LOG_USER_ID, $user_id);
+            $date = api_get_local_time(
+                null,
+                null,
+                null,
+                null,
+                null,
+                null,
+                'Y-m-d'
+            );
+            $extraFieldValue = new ExtraFieldValue('user');
+            $extraFieldValue->save(
+                [
+                    'item_id' => $user->getId(),
+                    'variable' => 'password_updated_at',
+                    'value' => $date
+                ]
+            );
         }
 
         $userManager->updateUser($user, true);
@@ -7683,29 +7700,75 @@ public static function deleteUserFiles($userId)
 
     public static function redirectToResetPassword($userId)
     {
-        if (!api_get_configuration_value('force_renew_password_at_first_login')) {
-            return;
+        $forceRenew = api_get_configuration_value('force_renew_password_at_first_login');
+
+        if ($forceRenew) {
+            $askPassword = self::get_extra_user_data_by_field(
+                $userId,
+                'ask_new_password'
+            );
+
+            if (!empty($askPassword) && isset($askPassword['ask_new_password']) &&
+                1 === (int)$askPassword['ask_new_password']
+            ) {
+                $uniqueId = api_get_unique_id();
+                $userObj = api_get_user_entity($userId);
+
+                $userObj->setConfirmationToken($uniqueId);
+                $userObj->setPasswordRequestedAt(new \DateTime());
+
+                Database::getManager()->persist($userObj);
+                Database::getManager()->flush();
+
+                $url = api_get_path(WEB_CODE_PATH).'auth/reset.php?token='.$uniqueId;
+                api_location($url);
+            }
         }
 
-        $askPassword = self::get_extra_user_data_by_field(
-            $userId,
-            'ask_new_password'
-        );
+        $forceRotateDays = api_get_configuration_value('security_password_rotate_days');
+        $forceRotate = false;
 
-        if (!empty($askPassword) && isset($askPassword['ask_new_password']) &&
-            1 === (int) $askPassword['ask_new_password']
-        ) {
-            $uniqueId = api_get_unique_id();
-            $userObj = api_get_user_entity($userId);
+        if ($forceRotateDays > 0) {
+            // get the date of the last password update recorded
+            $lastUpdate = self::get_extra_user_data_by_field(
+                $userId,
+                'password_updated_at'
+            );
 
-            $userObj->setConfirmationToken($uniqueId);
-            $userObj->setPasswordRequestedAt(new \DateTime());
+            if (empty($lastUpdate) or empty($lastUpdate['password_updated_at'])) {
+                error_log('No password_updated_at');
+                $userObj = api_get_user_entity($userId);
+                $registrationDate = $userObj->getRegistrationDate();
+                $now = new \DateTime(null, new DateTimeZone('UTC'));
+                $interval = $now->diff($registrationDate);
+                $daysSince = $interval->format('%a');
+                error_log('Days since registration: '.$daysSince);
+                if ($daysSince > $forceRotateDays) {
+                    error_log('We need to force reset');
+                    $forceRotate = true;
+                }
+            } else {
+                $now = new \DateTime(null, new DateTimeZone('UTC'));
+                $date = \DateTime::createFromFormat('Y-m-d H:i:s', $lastUpdate['password_updated_at'], new DateTimeZone('UTC'));
+                $interval = $now->diff($date);
+                $daysSince = $interval->format('%a');
+                if ($daysSince > $forceRotateDays) {
+                    $forceRotate = true;
+                }
+            }
+            if ($forceRotate) {
+                $uniqueId = api_get_unique_id();
+                $userObj = api_get_user_entity($userId);
+
+                $userObj->setConfirmationToken($uniqueId);
+                $userObj->setPasswordRequestedAt(new \DateTime());
 
-            Database::getManager()->persist($userObj);
-            Database::getManager()->flush();
+                Database::getManager()->persist($userObj);
+                Database::getManager()->flush();
 
-            $url = api_get_path(WEB_CODE_PATH).'auth/reset.php?token='.$uniqueId;
-            api_location($url);
+                $url = api_get_path(WEB_CODE_PATH).'auth/reset.php?token='.$uniqueId.'&rotate=1';
+                api_location($url);
+            }
         }
     }
 
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
@@ -2503,3 +2503,11 @@
 
 //hide copy icon in LP's authoring options
 //$_configuration['lp_hide_copy_option'] = false;
+
+// Password rotation
+// Requires creating a "Date and time" extra user field with the system id "password_updated_at"
+// Note: only a password change by the user itself will be taken into account.
+// Admins editing someone else's password do not count as a password update that would avoid the rotation request.
+// If this feature is enabled on an existing portal, the registration date of users will be taken as
+// the latest password change date.
+//$_configuration['security_password_rotate_days'] = 90;
